Cheatsheets created:
- deploy-debian12-vm.md - Basic Debian 12 deployment reference
- deploy-debian-lvm-netinst.md - Network installer with native LVM
- deploy-linux-vm.md - Multi-distribution quick reference
- deploy-linux-vm-lvm.md - Multi-distro with post-config LVM
- deploy-linux-vm-role.md - Role-based deployment guide
- test-deploy-linux-vm-role.md - Testing and validation procedures

Each cheatsheet includes:
- Quick deployment commands
- Variable reference tables
- Tag-based execution examples
- Post-deployment verification steps
- LVM management commands (where applicable)
- Troubleshooting procedures
- Security validation steps
- VM management commands
Test Deploy Linux VM Role - Quick Reference
Playbook
plays/test-deploy-linux-vm-role.yml
Description
Test playbook for the deploy_linux_vm role. Deploys a Debian 12 test VM with full LVM configuration and SSH hardening (GSSAPI disabled) to validate role functionality.
Quick Test
Run Full Test
ansible-playbook plays/test-deploy-linux-vm-role.yml
Test with Different Distribution
# Test with Ubuntu
ansible-playbook plays/test-deploy-linux-vm-role.yml \
-e "deploy_linux_vm_os_distribution=ubuntu-22.04"
# Test with AlmaLinux
ansible-playbook plays/test-deploy-linux-vm-role.yml \
-e "deploy_linux_vm_os_distribution=almalinux-9"
Test with Custom Resources
ansible-playbook plays/test-deploy-linux-vm-role.yml \
-e "deploy_linux_vm_vcpus=4" \
-e "deploy_linux_vm_memory_mb=4096"
Test Configuration
Default Test Settings
VM Name: test-lvm-vm
Hostname: test-lvm
Distribution: debian-12
vCPUs: 2
Memory: 2048 MB
Disk: 20 GB
LVM: Enabled (30GB on /dev/vdb)
Features Being Tested
✅ LVM configuration (CLAUDE.md compliant)
✅ SSH hardening (GSSAPI disabled)
✅ Multi-distribution support
✅ Security features (Firewall, SELinux/AppArmor, Audit)
✅ Automatic updates
✅ Cloud-init provisioning
Test Execution Flow
1. Pre-flight Validation
- Checks if test VM already exists
- Validates distribution support
- Verifies virtualization capabilities
2. VM Deployment (~2-3 minutes)
- Downloads cloud image (if not cached)
- Creates primary disk (20GB)
- Creates LVM disk (30GB on /dev/vdb)
- Generates cloud-init with security hardening
- Deploys VM with both disks
3. LVM Configuration (~3-5 minutes)
- Installs LVM packages
- Creates vg_system volume group
- Creates 8 logical volumes
- Formats filesystems
- Migrates existing data
- Updates /etc/fstab
4. Validation
- Verifies VM is running
- Checks SSH connectivity
- Validates LVM configuration
- Confirms security features
Total Test Time: ~5-8 minutes
Post-Test Verification
Get Test VM Information
# Get IP address
ssh grokbox "virsh domifaddr test-lvm-vm"
# SSH to test VM
ssh -J grokbox ansible@<VM_IP>
Verify LVM Configuration
# Check LVM status
ssh -J grokbox ansible@<VM_IP> "sudo pvs && sudo vgs && sudo lvs"
# Expected output:
# VG: vg_system
# PV: /dev/vdb (30.00g)
# LVs: lv_opt, lv_tmp, lv_home, lv_var, lv_var_log, lv_var_tmp, lv_var_audit, lv_swap
Verify SSH Hardening
# Check GSSAPI is disabled
ssh -J grokbox ansible@<VM_IP> "sudo sshd -T | grep -i gssapi"
# Expected output:
# gssapiauthentication no
# gssapicleanupcredentials no
Verify Security Features
# Check firewall (Debian)
ssh -J grokbox ansible@<VM_IP> "sudo ufw status"
# Check SELinux (RHEL - if testing RHEL family)
ssh -J grokbox ansible@<VM_IP> "getenforce"
# Expected: Enforcing
Reboot and Verify LVM Mounts
# Reboot test VM
ssh -J grokbox ansible@<VM_IP> "sudo reboot"
# Wait ~1 minute, then verify all mounts
ssh -J grokbox ansible@<VM_IP> "df -h && lsblk"
# Check all LVM volumes are mounted
ssh -J grokbox ansible@<VM_IP> "mount | grep vg_system"
Tag-Based Testing
Test Specific Components
# Test pre-flight validation only
ansible-playbook plays/test-deploy-linux-vm-role.yml --tags validate,preflight
# Test VM deployment only (skip LVM)
ansible-playbook plays/test-deploy-linux-vm-role.yml --skip-tags lvm
# Test LVM configuration only (if VM exists)
ansible-playbook plays/test-deploy-linux-vm-role.yml --tags lvm,post-deploy
# Test cloud-init generation only
ansible-playbook plays/test-deploy-linux-vm-role.yml --tags cloud-init
Test Validation Checklist
Complete this checklist to validate test success:
Basic Functionality
- Playbook completes without errors
- VM created: virsh list | grep test-lvm-vm
- IP assigned: virsh domifaddr test-lvm-vm
- SSH accessible: ssh -J grokbox ansible@<VM_IP>
LVM Configuration
- Physical volume exists: sudo pvs shows /dev/vdb
- Volume group created: sudo vgs shows vg_system
- All 8 LVs created: sudo lvs shows all volumes
- Filesystems formatted: lsblk -f shows ext4/swap
- Fstab updated: cat /etc/fstab | grep vg_system
- After reboot, all mounted: df -h | grep vg_system
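
The "Fstab updated" and "After reboot, all mounted" items can be checked against each other instead of comparing two grep outputs by eye. The following is an added example, not part of the role or its repository; the function name, the sample fstab and mount-table lines, and the mount points in them are constructed assumptions (the page names the logical volumes but not where they mount).

```shell
#!/bin/sh
# Added example (not from the role's repository).
# Usage on the VM: unmounted_lvm_entries /etc/fstab /proc/mounts
#
# $1 = fstab file, $2 = mount table in /proc/mounts format.
# Prints every vg_system mount point that fstab declares but the mount
# table lacks, and returns non-zero if there is at least one.
# Swap is skipped: it never appears in the mount table (check it with free -h).
unmounted_lvm_entries() {
    awk '
        # First file (mount table): remember mount points backed by vg_system.
        FILENAME == ARGV[1] { if ($1 ~ /vg_system/) mounted[$2] = 1; next }
        # Second file (fstab): skip comments, then compare mount points.
        /^[ \t]*#/ { next }
        $1 ~ /vg_system/ && $3 != "swap" && !($2 in mounted) { print $2; bad = 1 }
        END { exit bad + 0 }
    ' "$2" "$1"
}

# Constructed sample data; device paths and mount points are assumptions.
sample_fstab() {
    cat <<'EOF'
# /etc/fstab (constructed sample)
UUID=0000-CONSTRUCTED / ext4 defaults 0 1
/dev/vg_system/lv_home /home ext4 defaults 0 2
/dev/vg_system/lv_var_log /var/log ext4 defaults 0 2
/dev/vg_system/lv_var_audit /var/log/audit ext4 defaults 0 2
/dev/vg_system/lv_swap none swap sw 0 0
EOF
}

sample_mounts() {
    cat <<'EOF'
/dev/vda1 / ext4 rw,relatime 0 0
/dev/mapper/vg_system-lv_home /home ext4 rw,relatime 0 0
/dev/mapper/vg_system-lv_var_log /var/log ext4 rw,relatime 0 0
EOF
}
```

An empty mount table reports every fstab entry as unmounted rather than passing silently, which is the behaviour wanted when the check runs before the post-LVM reboot.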
SSH Security
- GSSAPI disabled: sudo sshd -T | grep gssapiauthentication shows "no"
- GSSAPI cleanup disabled: sudo sshd -T | grep gssapicleanupcredentials shows "no"
- Root login disabled: sudo sshd -T | grep permitrootlogin shows "no"
- Password auth disabled: sudo sshd -T | grep passwordauthentication shows "no"
- Key-based auth works: SSH connection successful
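
The four sshd -T checks above rely on reading grep output, and an empty result (for example when sshd -T is run without sudo) is easy to mistake for a pass. The following added example, which is not part of the role or its repository, asserts the exact values instead; the function and variable names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the role's repository).
# Usage on the VM: sudo sshd -T | check_sshd_hardening
#
# Expected effective values, copied from the SSH Security checklist.
EXPECTED_SSHD='gssapiauthentication=no gssapicleanupcredentials=no permitrootlogin=no passwordauthentication=no'

# Reads `sshd -T` output on stdin, prints one line per problem and
# returns non-zero if any expected key is missing or has another value.
check_sshd_hardening() {
    awk -v expected="$EXPECTED_SSHD" '
        BEGIN {
            n = split(expected, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                want[kv[1]] = kv[2]
            }
        }
        # sshd -T prints one lowercase "keyword value" pair per line.
        ($1 in want) { got[$1] = $2 }
        END {
            bad = 0
            for (k in want) {
                if (!(k in got)) {
                    print "MISSING " k; bad = 1
                } else if (got[k] != want[k]) {
                    print "FAIL " k "=" got[k] " (want " want[k] ")"; bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample inputs, not captured from a real VM.
sample_hardened() {
    printf '%s\n' 'port 22' 'permitrootlogin no' 'passwordauthentication no' \
        'gssapiauthentication no' 'gssapicleanupcredentials no'
}

sample_weak() {
    printf '%s\n' 'port 22' 'permitrootlogin prohibit-password' \
        'passwordauthentication yes' 'gssapiauthentication no'
}
```

Because a missing key is reported as MISSING, empty input fails all four checks, so the function's exit status is safe to use in the automated test loop.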
Security Features
- Firewall enabled: sudo ufw status (Debian) or sudo firewall-cmd --state (RHEL)
- Audit daemon running: systemctl status auditd
- Time sync active: chronyc tracking
- SELinux enforcing (RHEL): getenforce shows "Enforcing"
System Health
- Cloud-init complete: cloud-init status shows "done"
- System updated: Package updates applied during cloud-init
- No errors in logs: Check /var/log/cloud-init-output.log
- Swap active: free -h | grep Swap shows non-zero
Cleanup After Testing
Delete Test VM
# Stop and remove test VM
ssh grokbox "virsh destroy test-lvm-vm"
ssh grokbox "virsh undefine test-lvm-vm --remove-all-storage"
# Verify removal
ssh grokbox "virsh list --all | grep test-lvm-vm"
# Should return nothing
Clean Test Files
# On hypervisor, remove any temporary files
ssh grokbox "rm -f /tmp/cloud-init-test-lvm-vm/*"
ssh grokbox "rm -f /tmp/*-CHECKSUM"
Testing Different Distributions
Test Debian Family
# Debian 12
ansible-playbook plays/test-deploy-linux-vm-role.yml \
-e "deploy_linux_vm_os_distribution=debian-12" \
-e "deploy_linux_vm_name=test-debian12"
# Ubuntu 22.04
ansible-playbook plays/test-deploy-linux-vm-role.yml \
-e "deploy_linux_vm_os_distribution=ubuntu-22.04" \
-e "deploy_linux_vm_name=test-ubuntu22"
Test RHEL Family
# AlmaLinux 9
ansible-playbook plays/test-deploy-linux-vm-role.yml \
-e "deploy_linux_vm_os_distribution=almalinux-9" \
-e "deploy_linux_vm_name=test-alma9"
# Rocky Linux 9
ansible-playbook plays/test-deploy-linux-vm-role.yml \
-e "deploy_linux_vm_os_distribution=rocky-9" \
-e "deploy_linux_vm_name=test-rocky9"
Troubleshooting Tests
Test Fails at Pre-flight
# Check if test VM already exists
ssh grokbox "virsh list --all | grep test-lvm-vm"
# If exists, delete it
ssh grokbox "virsh destroy test-lvm-vm"
ssh grokbox "virsh undefine test-lvm-vm --remove-all-storage"
# Re-run test
ansible-playbook plays/test-deploy-linux-vm-role.yml
LVM Configuration Fails
# Check if second disk is attached
ssh grokbox "virsh domblklist test-lvm-vm"
# Should show both:
# - test-lvm-vm.qcow2 (primary)
# - test-lvm-vm-lvm.qcow2 (LVM disk)
# Verify disk visibility on VM
ssh -J grokbox ansible@<VM_IP> "lsblk"
# Should show vda (20G) and vdb (30G)
SSH Connection Issues
# Check VM is running
ssh grokbox "virsh list | grep test-lvm-vm"
# Get IP again
ssh grokbox "virsh domifaddr test-lvm-vm"
# Test with verbose SSH
ssh -vvv -J grokbox ansible@<VM_IP>
# Check SSH service on VM (via console)
ssh grokbox "virsh console test-lvm-vm"
GSSAPI Still Enabled
# Check SSH config file was created
ssh -J grokbox ansible@<VM_IP> "ls -la /etc/ssh/sshd_config.d/"
# View security config
ssh -J grokbox ansible@<VM_IP> "cat /etc/ssh/sshd_config.d/99-security.conf"
# Restart SSH service
ssh -J grokbox ansible@<VM_IP> "sudo systemctl restart sshd"
# Test again
ssh -J grokbox ansible@<VM_IP> "sudo sshd -T | grep gssapi"
Continuous Testing
Automated Test Suite
Create a test script for continuous validation:
#!/bin/bash
# test-role.sh
DISTRIBUTIONS=(
    "debian-12"
    "ubuntu-22.04"
    "almalinux-9"
    "rocky-9"
)
for distro in "${DISTRIBUTIONS[@]}"; do
    echo "Testing $distro..."
    ansible-playbook plays/test-deploy-linux-vm-role.yml \
        -e "deploy_linux_vm_os_distribution=$distro" \
        -e "deploy_linux_vm_name=test-$distro"
    if [ $? -eq 0 ]; then
        echo "✅ $distro test PASSED"
        # Cleanup
        ssh grokbox "virsh destroy test-$distro && virsh undefine test-$distro --remove-all-storage"
    else
        echo "❌ $distro test FAILED"
        exit 1
    fi
done
echo "All tests completed successfully!"
Expected Test Output
Successful test execution should show:
PLAY [Test Deploy Linux VM Role] ***********************************
TASK [Gathering Facts] *********************************************
ok: [grokbox]
...
TASK [deploy_linux_vm : Display LVM configuration summary] ********
ok: [grokbox] => {
"msg": [
"=== LVM Configuration Complete ===",
"Volume Group: vg_system",
"Physical Volume: /dev/vdb (30GB)",
"Logical Volumes: 8",
"",
"⚠️ IMPORTANT: VM needs reboot to use new mounts",
"After reboot, LVM volumes will be mounted automatically"
]
}
TASK [Display test completion message] *****************************
ok: [grokbox] => {
"msg": [
"╔════════════════════════════════════════════════════════════════╗",
"║ Role Test Completed Successfully ║",
"╚════════════════════════════════════════════════════════════════╝",
"",
"VM deployed with:",
" ✓ LVM Configuration (CLAUDE.md compliant)",
" ✓ SSH Hardening (GSSAPI disabled)",
" ✓ Security Features (Firewall, Audit, Auto-updates)",
" ✓ Multi-distribution support",
"",
"Next steps:",
" 1. SSH to VM: ssh -J grokbox ansible@192.168.122.X",
" 2. Verify GSSAPI: sudo sshd -T | grep -i gssapi",
" 3. Check LVM: sudo vgs && sudo lvs",
" 4. Reboot for LVM: sudo reboot",
" 5. After reboot verify: df -h && lsblk"
]
}
PLAY RECAP *********************************************************
grokbox: ok=X changed=Y unreachable=0 failed=0 skipped=Z
Test Documentation
This test validates:
- Role Structure: Proper task organization and variable handling
- Multi-Distribution: Works across Debian, Ubuntu, RHEL families
- LVM Implementation: Creates CLAUDE.md compliant LVM layout
- SSH Security: GSSAPI disabled, key-only authentication
- Security Hardening: Firewall, SELinux/AppArmor, audit daemon
- Cloud-Init: Proper provisioning and package installation
- Idempotency: Can be re-run without errors
Related Documentation
- Role README: roles/deploy_linux_vm/README.md
- Role cheatsheet: cheatsheets/deploy-linux-vm-role.md
- CLAUDE.md: Infrastructure requirements
- Test playbook: plays/test-deploy-linux-vm-role.yml
Support
For test failures:
- Check playbook output for specific error messages
- Review role tasks: roles/deploy_linux_vm/tasks/
- Check VM logs: /var/log/cloud-init-output.log
- Verify hypervisor resources: disk space, memory
- Consult role README for detailed troubleshooting